hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for creating a User Delegation SAS token for Azure Storage #23727

Open dvasdekis opened 11 months ago

dvasdekis commented 11 months ago

Description

Both Azure API and Azure CLI support creating a User Delegation SAS key, which is a storage account key signed against the user's credentials, rather than signing it against the main storage account key.

This means we can prevent auth using the storage account key (see here, our storage account has this set to false) but still allow our service principal to create working SAS tokens.

At present, our SAS tokens created when shared_access_key_enabled = false do not work as they are based on the disabled account key. User delegation keys allow for this.

New or Affected Resource(s)/Data Source(s)

data.azurerm_storage_account_sas

Potential Terraform Configuration

data "azurerm_storage_account_sas" "example" {
  connection_string = azurerm_storage_account.example.primary_connection_string
  https_only        = true
  # Below would be a new parameter
  key_type = "UserDelegation" # One of UserDelegation, AccountKey. Defaults to AccountKey

  resource_types {
    service   = true
    container = false
    object    = false
  }

  services {
    blob  = true
    queue = false
    table = false
    file  = false
  }

  start  = "2023-10-21T00:00:00Z"
  expiry = "2024-10-20T00:00:00Z"

  permissions {
    read    = true
    write   = true
    delete  = false
    list    = false
    add     = true
    create  = true
    update  = false
    process = false
    tag     = false
    filter  = false
  }
}

output "sas_url_query_string" {
  value = data.azurerm_storage_account_sas.example.sas
}

References

No response
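As an added example (not part of this issue or the provider's code), a small Go program that tells the two kinds of SAS apart by their query parameters and checks whether a token would still be accepted once shared_access_key_enabled = false: a user delegation SAS carries skoid, sktid, skt and ske and cannot outlive its key, and since user delegation keys are valid for at most seven days, a single user delegation SAS could not cover the one-year window in the configuration above. The two sample tokens are constructed, with placeholder signatures and ids.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

// SASInfo: the SAS query fields that decide whether a token survives shared_access_key_enabled = false.
type SASInfo struct {
	UserDelegation bool      // skoid/sktid present: signed with a user delegation key
	Expiry         time.Time // se
	KeyExpiry      time.Time // ske (user delegation SAS only)
}

// ClassifySAS parses a SAS query string (no leading '?'); skoid/sktid/skt/ske mark a user delegation SAS.
func ClassifySAS(q string) (info SASInfo, err error) {
	v, err := url.ParseQuery(q)
	if err != nil || v.Get("sig") == "" || v.Get("se") == "" {
		return info, fmt.Errorf("not a SAS query string: sig and se are required (%v)", err)
	}
	if info.Expiry, err = time.Parse(time.RFC3339, v.Get("se")); err != nil {
		return info, err
	}
	if info.UserDelegation = v.Get("skoid") != "" && v.Get("sktid") != ""; info.UserDelegation {
		info.KeyExpiry, err = time.Parse(time.RFC3339, v.Get("ske"))
	}
	return info, err
}

// UsableWithSharedKeyDisabled says whether the service can still validate the token once account keys are off.
func UsableWithSharedKeyDisabled(info SASInfo) (bool, string) {
	if !info.UserDelegation {
		return false, "account-key SAS: rejected when shared_access_key_enabled = false"
	}
	if info.Expiry.After(info.KeyExpiry) {
		return false, "se is later than the delegation key expiry ske"
	}
	return true, "user delegation SAS within its key's lifetime"
}

// Constructed sample tokens; signatures and ids are placeholders, not real values.
const AccountKeySAS = "sv=2022-11-02&ss=b&srt=s&sp=rwac&se=2024-10-20T00:00:00Z&spr=https&sig=PLACEHOLDER"
const DelegationSAS = "sv=2022-11-02&sr=c&sp=rwac&se=2023-10-22T00:00:00Z&skoid=PLACEHOLDER-OID&sktid=PLACEHOLDER-TID&skt=2023-10-21T00:00:00Z&ske=2023-10-28T00:00:00Z&sks=b&skv=2022-11-02&spr=https&sig=PLACEHOLDER"

func main() {
	for _, q := range []string{AccountKeySAS, DelegationSAS} {
		if info, err := ClassifySAS(q); err == nil {
			fmt.Println(UsableWithSharedKeyDisabled(info))
		}
	}
}
```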

anish3389 commented 1 month ago

Are we going to have this in future?